Essential WordPress Security Checklist (2025)


Why WordPress Security Should and Does Matter for Marketing Professionals

Tight security for your WordPress website isn’t just one of those “niceties” – it’s essential to businesses of all sizes.

I often work with marketing professionals who never thought their companies would be targets, either because they considered their business “not large enough” or “not prominent” enough to be interesting to hackers, until it happened. A compromised website means lost sales, damaged customer trust, and hours of frustrating cleanup work.

Here in Colorado, we have strong data protection laws that require businesses to notify affected customers and sometimes even the Attorney General when breaches occur that involve customer personal and/or financial data (think e-commerce). The costs to a business of mitigating a breach are not only financial, but also reputational. And if it’s one thing a business cannot afford to lose, it’s its hard-earned good reputation!

We know that not all businesses can afford dedicated security staff. With that in mind, we have created the following checklist that outlines practical security measures that any marketing professional can implement on their own, regardless of technical expertise, to safeguard their company’s website. Each step reduces your risk and helps protect what you’ve worked so hard to build. This guide was built to help anyone get the basics in place. If you run into any trouble along the way, we offer free quick help calls and can usually get you through any rough spots.

Initially & Annually

Users and passwords

Use strong, unique passwords for all users

Implement a password policy for your site. You can enforce it by installing a password strength enforcer plugin (like Password Policy Manager). This will require all users to create complex passwords with minimum requirements. For existing accounts, use the “Force Password Reset” option in your user management panel to make everyone create new, stronger passwords at their next login. Consider sharing a password creation guide with your team.

  • All users’ passwords should be at least 16 characters long and consist of mixed-case letters, numbers, and symbols
  • Use a password generator tool to input requirements and generate strong passwords that meet those requirements
  • Visit WordPress’s page about Password Best Practices for detailed information on how to best construct and safeguard passwords

Implement two-factor/multi-factor authentication (2FA/MFA)

Install a 2FA plugin like Two-Factor or Wordfence, which are available through your WordPress website’s plugin directory. After activation, visit the plugin settings to enable it for specific user roles. Users will then need to set up a secondary authentication method during their next login.

Limit login attempts to prevent brute force attacks

Install a security plugin like Limit Login Attempts Reloaded through your website’s plugin section. After installation, visit the plugin’s settings page and set the maximum number of failed login attempts (typically 3-5) before a temporary lockout occurs. 
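To show what a lockout plugin does behind its settings page, here is an added example (not the checklist’s code and not any named plugin’s code) that counts failed logins per source address and refuses further attempts for a cooling-off period. It assumes the site is not behind a proxy or CDN; the file goes in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Login lockout (hardening example)
 * Description: Added example, not the checklist's or any plugin's code. Counts failed
 * logins per source address in a transient and refuses further attempts for a
 * cooling-off period once the limit is reached. Place in wp-content/mu-plugins/.
 */
const LOCKOUT_MAX_ATTEMPTS = 5;                      // within the 3-5 range recommended above
const LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS; // how long a lockout lasts

function lockout_transient_key(): string {
    // Assumption: no reverse proxy or CDN in front of the site. Behind one,
    // REMOTE_ADDR is the proxy's address, so use the client-address header
    // that your host documents instead.
    return 'login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Each failed login bumps the counter; the transient expires on its own.
// A refused attempt during a lockout also counts, which extends the window.
add_action( 'wp_login_failed', function () {
    $key = lockout_transient_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LOCKOUT_WINDOW );
} );

// Priority 30 runs after core's password check (priority 20), so even a
// correct password is refused while the source address is locked out.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lockout_transient_key() ) >= LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again in 15 minutes.' );
    }
    return $user;
}, 30, 1 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lockout_transient_key() );
} );
```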

Store passwords in a secure password management tool

Download and install a reputable password manager like LastPass, Bitwarden or 1Password. After creating your account, simply click the “Add Item” or “+” button to store websites and their passwords. These tools can auto-fill login details for you and generate strong passwords. Many offer browser extensions and mobile apps for convenience. This is a good idea for all your passwords, not just WordPress.

Apply the Principle of Least Privilege (POLP) for user roles

Go to your website’s User Admin page. For each team member, select the role with just enough permissions to do their job – don’t make everyone an Administrator. 

  • Review existing users and downgrade permissions for users who don’t need extensive access. 
  • Remove any accounts that no longer need access to the site.
  • Limit the number of Administrator accounts.

Form & Data Security

Use Akismet SPAM protection

Akismet is built by the WordPress team and helps reduce SPAM by comparing submissions across the WordPress ecosystem. Also, it doesn’t add another step like a CAPTCHA.

Use a Honeypot to deter spambots

Honeypots are invisible form fields that humans can’t see, but bots will fill out. When a form is submitted with data in these hidden fields, your system knows it’s from a bot and can block the submission. This technique is particularly effective because it’s invisible to legitimate users, creating no hiccup in their experience, while still catching bots that blindly complete all available form fields regardless of visibility. Search for Honeypot for your form plugin to find one that works for you.
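The mechanism described above, as an added example for a custom PHP form handler (not code from the checklist or from any form plugin). The field names are assumptions, and the render timestamp is a second, cheap check for instant submissions; a bot can forge it, so it only catches the naive ones.

```php
<?php
// Added example, not part of the original checklist: a minimal honeypot for a
// custom PHP form handler. Field names are assumptions.
const HONEYPOT_FIELD = 'website_url'; // decoy: humans never see it, so it stays empty
const HONEYPOT_TS    = 'form_ts';     // when the form was rendered

function honeypot_fields_html(): string {
    // Moved off-screen rather than type="hidden", because many bots skip
    // hidden inputs but fill every text field they can parse.
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label>Leave this field empty '
         . '<input type="text" name="' . HONEYPOT_FIELD . '" tabindex="-1" autocomplete="off"></label>'
         . '</div>'
         . '<input type="hidden" name="' . HONEYPOT_TS . '" value="' . time() . '">';
}

function is_bot_submission(array $post, int $now, int $min_seconds = 3): bool {
    // Decoy filled in: only a bot did that.
    if (!empty($post[HONEYPOT_FIELD])) {
        return true;
    }
    // Submitted faster than a human could type, or with the timestamp
    // missing or tampered: treat as automated as well.
    $rendered_at = (int) ($post[HONEYPOT_TS] ?? 0);
    return $rendered_at <= 0 || ($now - $rendered_at) < $min_seconds;
}

// Constructed sample submissions to exercise the check.
$now   = time();
$human = ['name' => 'Ada', 'message' => 'Hello', HONEYPOT_FIELD => '', HONEYPOT_TS => $now - 20];
$bot   = ['name' => 'x', 'message' => 'buy', HONEYPOT_FIELD => 'http://example.invalid', HONEYPOT_TS => $now - 20];
echo is_bot_submission($human, $now) ? "human: blocked\n" : "human: accepted\n";
echo is_bot_submission($bot, $now)   ? "bot: blocked\n"   : "bot: accepted\n";
```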

Use CAPTCHA on login and registration forms

Using CAPTCHA on login and registration forms helps prevent automated bots from creating fake accounts or attempting brute force attacks. This security measure distinguishes between human users and automated programs by requiring completion of tasks difficult for bots but easy for humans. By implementing CAPTCHA, websites can significantly reduce spam registrations, credential stuffing attacks, and other automated threats while ensuring legitimate users can still access services.

Many CAPTCHAs use Google’s version, which can be tricky to figure out. Follow this link to a detailed YouTube video on how to sign up for Google’s reCAPTCHA service.

CloudFlare also provides a very good CAPTCHA.

If using a form plugin like Contact Form 7 or WPForms, follow the links to detailed YouTube videos on how to enable CAPTCHA.

Disable XML-RPC if not needed

XML-RPC is a communication protocol that allows external systems to interact with your website. When left enabled unnecessarily, it becomes an attack vector that hackers can exploit to attempt numerous login combinations rapidly or launch distributed denial-of-service attacks. By disabling this feature when you’re not using it for services like mobile apps or content management, you eliminate this potential security vulnerability without affecting normal website operations. How to Disable XML-RPC in WordPress provides three options.
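For sites that can have a developer drop in a file, here is an added example (not the checklist’s code or any plugin’s) of disabling XML-RPC from a must-use plugin. It uses WordPress core’s own filters; note that `xmlrpc_enabled` only turns off methods that require a login, which is why the pingback methods are removed separately.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (hardening example)
 * Description: Added example, not the checklist's code. Save as
 * wp-content/mu-plugins/disable-xmlrpc.php; mu-plugins load without activation.
 */

// Core consults this filter before running any XML-RPC method that needs
// authentication, so password guessing through the endpoint is refused.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Pingback methods do not require a login and are not covered by the filter
// above, so remove them too; they are the part abused for DDoS amplification.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

If you later need XML-RPC for a mobile app or remote publishing tool, delete the file to restore the endpoint.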

Audit current plugins for security issues

Regularly checking your plugins helps identify outdated or vulnerable components that could compromise your entire website. Many security breaches occur through neglected plugins that contain unpatched vulnerabilities known to attackers. By maintaining an inventory of your plugins, removing unused ones, keeping others updated, and researching security histories before installation, you significantly reduce the risk of having your website compromised through third-party code.

Use our free CommandWP plugin search to find current stats and vulnerabilities for plugins.

Install a Recommended Security Plugin

Go to your WordPress dashboard and navigate to Plugins > Add New. Search for reputable security plugins like Wordfence or Sucuri. Click “Install Now” then “Activate” on your chosen plugin. After activation, follow the plugin’s setup wizard (usually appears automatically) to enable basic protection. Most security plugins offer a dashboard with a “Security Scan” button to identify vulnerabilities and one-click fixes for common issues. Run the initial scan and implement the critical recommendations highlighted by the plugin.

High quality managed hosting services, such as the one offered by WP Support HQ, will handle many of the security protections for you without a plugin slowing down your website.

Monthly

Keep Everything Updated

Plugins, Themes, and WordPress itself regularly release updates that fix newly found security issues, so updating often is important. Keeping up to date also reduces the risk of an update breaking your website.

Update WordPress core to the latest version

Log in to your WordPress dashboard, and if an update is available, you’ll see a notification at the top of your screen or under Dashboard > Updates. Click “Update Now” and wait for the process to complete (usually takes 1-2 minutes). Always back up your site before updating. 

Update all plugins regularly

Go to Dashboard > Updates or Dashboard > Plugins to see which plugins need updates. Select the checkboxes next to plugins that need updating (or “Select All”), then click “Update Plugins” and wait for confirmation. Check this area weekly for new updates. 

Update all themes (active and inactive)

Navigate to Dashboard > Updates or Dashboard > Appearance > Themes to find themes with available updates. Click the update notification on individual themes or select multiple themes and click “Update Themes” if available. Always update your active theme last after testing updates on a staging site, if you have access to one.

Remove any unused plugins and themes

Go to Dashboard > Plugins or Dashboard > Appearance > Themes, identify unused items, then click “Deactivate” followed by “Delete” for plugins or just “Delete” for inactive themes. Keep only what you actually use to reduce security vulnerabilities. It’s recommended to keep the latest WordPress theme installed, even inactively, in case something breaks on your current theme. Twenty Twenty-Five is the most recent one.

Update PHP to the latest recommended version

Contact your web hosting provider via their support channel and ask them to upgrade your PHP version to the latest recommended version for WordPress. Many hosts offer a PHP version selector in their control panel (cPanel or similar) that lets you choose versions with a simple dropdown menu. We recommend using 8.1, at a minimum. Upgrade everything else first, as newer versions of PHP can break older plugins and themes.

Set up automatic updates for minor releases

Go to Dashboard > Settings > General and look for the “Automatic Updates” section. Check the option for “Enable automatic updates for minor core releases” or edit your wp-config.php file by adding the line define( 'WP_AUTO_UPDATE_CORE', 'minor' ); (or ask your developer to do this). More advanced WordPress

Daily

Automated Daily Backups

If you have a managed WordPress hosting service, such as the one offered by WP Support HQ, this will automatically be taken care of for you. 

Otherwise, sign up for a backup service like UpdraftPlus or BackWPup. After installation, navigate to the backup settings, select daily frequency, choose what to back up (files and database), and set a storage location (Dropbox, Google Drive, etc.). Most services have a one-click “Enable Daily Backups” option that handles the scheduling automatically.

Make sure you know how to get to the storage location outside of WordPress so you can get to the backup if your website isn’t accessible.

Hosting & Server Security

Choose a reputable, security-focused hosting provider by ensuring they meet all the following criteria; ideally, you will also want a hosting provider that not just hosts your site, but also manages all of these updates for you – just like we do here at WP Support HQ.

Uses PHP 8.1 or higher: Newer PHP versions contain critical security patches that protect against known vulnerabilities and exploits, while offering improved performance and security features.

Implements a Web Application Firewall (WAF): A WAF filters and monitors HTTP traffic between web applications and the internet, blocking malicious attacks like SQL injections and cross-site scripting before they reach your website.

Installs an SSL certificate and enforces HTTPS: SSL certificates encrypt data transferred between users and your website, preventing data interception and establishing trust with visitors through the padlock icon and HTTPS protocol. SSL is also important for SEO.

Regularly scans for malware and removes any threats: Proactive malware scanning detects compromised files or suspicious code before they can harm your site or visitors, allowing for quick removal of threats.

Creates scheduled database backups: Regular backups ensure you can quickly restore your website in case of data corruption, ransomware attacks, or other catastrophic events without significant data loss.

Stores backups in offsite secure locations: Keeping backups in separate secure locations protects your recovery options from being compromised in the same attack that might affect your main site.

Optimizes and cleans your database regularly: Removing unnecessary data reduces potential attack surfaces and improves site performance, while also making backups more efficient.

Disables file editing in WordPress admin: Preventing direct file editing through the admin panel blocks attackers who gain admin access from immediately injecting malicious code into theme or plugin files.

Disables PHP execution in certain directories: Restricting where PHP can execute prevents attackers from uploading and running malicious scripts in upload directories or other non-essential locations.

Lastly, remember that security is an ongoing process, not a one-time task. Regularly reviewing and updating your security measures is essential for maintaining a secure WordPress website.
